The present invention relates generally to computer security, and more particularly to deactivating evasive malware.
Security experts rely on analysis environments (such as malware analysis sandboxes) to uncover malware behaviors and generate corresponding signatures for future detection. However, most emerging malware is equipped with evasive logic to determine its current execution environment. Once malware finds itself running within an analysis environment, it may choose not to execute and thereby not expose its malicious logic. According to a recent study, over 80% of malware exhibited evasive behaviors in the second half of 2015. There is extensive prior work on detecting user-level sandboxes, system-level virtual machines, and hardware-level debugging extensions. Advanced evasive malware can fingerprint these analysis environments and cloak its malicious behaviors. Without the lab analysis results (i.e., malware signatures), it is extremely difficult to detect such malware running on physical end hosts.